Thanks for your reply,
I'll try to explain my problem better.
I'm trying to log all NetBIOS name service registrations: as you
suggested, I've filtered DNS traffic on port 137/udp and used a filter for
a specific opcode (Netbios_registration == 5).
In this way, I'm able to log all NetBIOS registrations, but I'm not able to
distinguish a group name registration from a unique name registration.
Using Wireshark, I find this information in an additional record that I
can't see in Bro.
For example, using this event handler:

    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
        {
        # Number of resource records in the additional section of this query.
        print msg$num_addl;
        }

I can see that the packet carries an additional record (msg$num_addl
= 1), but I can't see its value.
How can I do this in Bro?
Thanks
Vito
2014-10-23 15:52 GMT+02:00 Seth Hall <seth at icir.org>:
> On Oct 23, 2014, at 8:16 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>
> > How can I filter NetBIOS name service registration?
>
> It all shows up in dns.log and you are given access to it through the
> various DNS events. Could you describe what you are trying to accomplish?
> Providing a packet capture and describing what you want to get out of it
> would be the most useful.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/